000019130 - User initially shows passcode accepted and node secret sent, but second authentication fails with node secret mismatch: cleared on agent but not on server for RSA Authentication Agent 7.x for Windows

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support on Jan 23, 2020.
Version 3

Article Content

Article Number
000019130

Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for Windows
RSA Version/Condition: 7.x

Issue

The user initially receives a message of passcode accepted. The RSA Authentication Manager server log shows that the passcode was accepted and the node secret is sent to the agent. However, the second and subsequent authentication attempts fail with the RSA Authentication Manager server log showing the following message:



Node secret mismatch: cleared on agent but not on server.




Cause

The error happens because the node secret cannot be written on the RSA Authentication Agent.

This could be a user permissions or User Account Control (UAC) issue. The user may not have rights to write to Winnt\System32, the registry, or the disk on this computer.

RSA Authentication Agent 7.x for Windows writes the node secret file named securid to C:\Program Files\Common Files\RSA Shared\Auth Data.

Resolution

The node secret on an RSA Authentication Agent for Windows is named securid and is stored on the agent in C:\Program Files\Common Files\RSA Shared\Auth Data.

If the node secret was sent to the agent but does not exist on the agent, the problem is that the node secret was not written to C:\Program Files\Common Files\RSA Shared\Auth Data after it was sent to the agent. This indicates some type of permissions or privilege issue, or a folder locked down by UAC.

The resolution is to ensure that the node secret can be written to the C:\Program Files\Common Files\RSA Shared\Auth Data directory by doing one or more of the following:
  • Disabling or modifying UAC,
  • Performing the initial authentication with the RSA Control Center by doing a Test Authentication with a local administrator account, or
  • Modifying the folder permissions on C:\Program Files\Common Files\RSA Shared\Auth Data to allow read/write permissions to the application.

Workaround

As a workaround, turn off UAC or perform the initial authentication twice with an administrator account.

Legacy Article ID
a6362
